OpenID Connect Fails with Keycloak #1755

Closed
opened 2020-11-30 23:19:03 +00:00 by dmallubhotla · 6 comments

I'm attempting to sign in using OpenID Connect to a local Keycloak instance. I get a redirect back to the login on the Vikunja frontend, with Keycloak logging an error that the scopes requested are invalid.

Author

I think some digging into it suggests that Vikunja makes a request using a blank scopes parameter, which current versions of Keycloak reject. I think that other providers are laxer about it, but technically the standard says to reject such requests, if I've understood the issue correctly.

Owner

What are the exact error messages from keycloak and Vikunja (from the network tab)?

Author

As far as I can tell from the network tab, when I click "Log In With Keycloak", the request goes out to `https://keycloak.example.com/auth/realms/<realm>/protocol/openid-connect/auth?client_id=<id>&redirect_uri=https://vikunja.example.com/keycloak&response_type=code&scope=&state=whatever`.

Keycloak responds to this with a 302, redirecting to

`https://vikunja.example.com/keycloak?error=invalid_request&error_description=Invalid+scopes%3A+&state=whatever`.

I don't see any additional logging, and it seems like vikunja redirects this back to the login page. Since Vikunja receives the response and handles the rewrite, everything after that is a 200, which makes sense. The URL that vikunja reaches is the correct auth url from Keycloak's well-known configuration.

Keycloak logs

```
ERROR [org.keycloak.services] (default task-1) KC-SERVICES0093: Invalid parameter value for: scope
```

Here's a link to a similar issue in Dokuwiki: https://github.com/cosmocode/dokuwiki-plugin-oauth/issues/89.

The behaviour in Keycloak to error on no scopes is new to version 10.

I can confirm that changing the request to include `&scope=openid` avoids the invalid scopes error, but I don't have enough time at the moment to fully test out a PR. Hopefully that helps, let me know if any other info would be useful!

konrad added the kind/bug label 2020-12-08 18:29:38 +00:00
Owner

I've added the `openid` scope in https://kolaente.dev/vikunja/frontend/commit/ffde50453a7fd0929a3b3f5c5ba90675d4dc2271 - could you check the latest build to see if that fixed it?
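The fix described above (always sending the mandatory `openid` scope) together with the error redirect from the earlier network-tab trace, as an added example that is not Vikunja's own code: one function builds the authorization request URL so the `scope` parameter is never empty, the other parses the callback and treats a `state` mismatch or an `error` parameter as a failed login rather than a code to exchange. The realm name, client id and the sample `code` value are constructed placeholders.

```javascript
// Added example (not from the Vikunja frontend). Node's global URL /
// URLSearchParams are used, so this runs in Node or in a browser unchanged.

// Build the OIDC authorization request. OpenID Connect Core requires the
// "openid" scope, and Keycloak 10+ rejects an empty scope parameter with
// error=invalid_request, so "openid" is always included and deduplicated.
function buildAuthorizeUrl({ authEndpoint, clientId, redirectUri, state, scopes = [] }) {
  const scopeSet = new Set(['openid', ...scopes.filter(Boolean)]);
  const url = new URL(authEndpoint);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('scope', [...scopeSet].join(' '));
  url.searchParams.set('state', state);
  return url.toString();
}

// Parse the redirect the provider sends back to redirect_uri.
// The state value is checked before anything else: a response whose state
// does not match the one this client generated was not issued for this
// login attempt and must not be consumed.
function parseCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  if (params.has('error')) {
    // e.g. error=invalid_request&error_description=Invalid+scopes%3A+ from Keycloak
    return {
      ok: false,
      reason: params.get('error'),
      description: params.get('error_description') || '',
    };
  }
  const code = params.get('code');
  if (!code) {
    return { ok: false, reason: 'missing_code' };
  }
  return { ok: true, code };
}

module.exports = { buildAuthorizeUrl, parseCallback };
```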
Author

Cheers that seems to have done it (using the latest docker image).

After getting the config set up (I didn't have `service.frontendurl` set and instead had `auth.openid.redirecturl` set to `https://vikunja.example.com/`), it looks like it works quite smoothly. I blame that misreading of the config example on myself, because immediately above is the line about needing to be redirected to `https://vikunja.example.com/auth/openid/<key>`, which is why that failed.

Owner

Glad it works now!

Reference: vikunja/vikunja#1755